Splunk Search

How to exclude a specific value from a column?

rosho
Communicator

Hi

I have a table with 2 columns: "_time" and "isOutlier".
I want to remove all the fields with the value = 1 from the column "isOutlier".
Is there any command?

Thank you

0 Karma
1 Solution

rosho
Communicator

This is the answer! haha! 🙂

| inputlookup fortigate_QC_May2019_logins.csv
| fit StandardScaler "logins" with_mean=false with_std=true
| fit LocalOutlierFactor "SS_logins" n_neighbors=10 algorithm=auto metric=minkowski p=2 contamination=0.1 leaf_size=30
| where NOT isOutlier==1
| table _time, SS_logins

0 Karma

adonio
Ultra Champion

try this:
... your search ... | where isOutlier!=1
or this
... your search ... | search isOutlier!=1

hope it helps

0 Karma

rosho
Communicator

But then how do I remove the whole row?

This is my SPL:

| inputlookup fortigate_QC_May2019_logins.csv
| fit StandardScaler "logins" with_mean=false with_std=true
| fit LocalOutlierFactor "SS_logins" n_neighbors=10 algorithm=auto metric=minkowski p=2 contamination=0.1 leaf_size=30

| IT IS HERE WHERE I HAVE TO REMOVE THE WHOLE ROW WITH THE OUTLIER

| table _time, isOutlier
0 Karma

kmorris_splunk
Splunk Employee

If you just want to filter out the events that are outliers, then you simply have to use isOutlier=0 or isOutlier!=1 in your base search. Unless I am not understanding your goal correctly.

0 Karma

rosho
Communicator

Yes, but then I want to remove the whole row.
So if I have 744 rows with 10 outliers, I will end up with 764 rows.

0 Karma
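An added example, not code from this thread and not Splunk's own, to make the distinction the replies are circling concrete: `| where isOutlier!=1` (or `| where NOT isOutlier==1`) removes the whole event, whereas an `eval` that sets the field to `null()` keeps the row and only empties the column. The table below is constructed (one row per hour of May 2019, 744 rows, 10 of them flagged) and the column names copy the thread's output; the treatment of a row with no `isOutlier` field at all follows eval semantics, where a comparison against a missing value is not true, so `where` drops it.

```python
"""Added example, not from the Splunk thread: a small Python model of
dropping outlier rows (what `where` does) versus blanking the field.
All data here is constructed."""
from datetime import datetime, timedelta


def build_sample(total_rows=744, n_outliers=10):
    """Constructed result set shaped like the thread's table: one row per
    hour of May 2019 (31 * 24 = 744) with a scaled login count and the
    isOutlier flag that `fit LocalOutlierFactor` adds. Every 74th row is
    flagged so that exactly n_outliers rows carry isOutlier=1."""
    start = datetime(2019, 5, 1)
    step = max(1, total_rows // n_outliers)
    rows = []
    for i in range(total_rows):
        flagged = i % step == 0 and i // step < n_outliers
        rows.append({
            "_time": (start + timedelta(hours=i)).isoformat(),
            "SS_logins": 5.0 if flagged else 0.4,
            "isOutlier": 1 if flagged else 0,
        })
    return rows


def drop_outlier_rows(rows):
    """Equivalent of `| where isOutlier!=1`: the whole event disappears.
    A row without an isOutlier field is dropped too, because in `where`
    a comparison against a missing value does not evaluate to true
    (assumption about SPL eval semantics, stated in the lead-in)."""
    return [r for r in rows
            if r.get("isOutlier") is not None and r["isOutlier"] != 1]


def blank_outlier_field(rows):
    """Equivalent of `| eval isOutlier=if(isOutlier==1, null(), isOutlier)`:
    the row stays and only the field value is emptied. This is what the
    question literally asks for, but it leaves the outlier's _time and
    SS_logins in the table."""
    return [dict(r, isOutlier=None if r.get("isOutlier") == 1 else r.get("isOutlier"))
            for r in rows]


def row_count_after_filter(total_rows, n_outliers):
    """Number of rows left once `where isOutlier!=1` has run over a
    constructed table of total_rows rows with n_outliers flagged."""
    return len(drop_outlier_rows(build_sample(total_rows, n_outliers)))


if __name__ == "__main__":
    sample = build_sample()
    print(len(sample), "rows,", sum(r["isOutlier"] for r in sample), "flagged")
    print(len(drop_outlier_rows(sample)), "rows after `where isOutlier!=1`")
    print(len(blank_outlier_field(sample)), "rows after blanking the field")
```

Run it as a script to see the counts: the `where` equivalent leaves 734 of 744 rows, while blanking the field leaves all 744 rows with ten empty `isOutlier` cells. The same reasoning applies to `| search isOutlier!=1` in the thread's second suggestion: it also removes events, not field values.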